View All R&D Articles

CryptXXX Ransomware Infection And Decryption Services

July 6, 2016

Introduced in April of 2016, CryptXXX is a new type of ransomware that targets Windows computers. It has been regularly updated to thwart decryption attempts, and it asks for an unusually high ransom.

The program encrypts files, then demands a payment for the encryption keys. If the victim does not pay, the affected files will remain permanently inaccessible. However, some CryptXXX infections can be reversed, and’s research teams are working to find new solutions for CryptXXX victims.

If you believe that your computer is infected with CryptXXX, can help. Call us now at 1-800-237-4200 to discuss your options.

What is CryptXXX Ransomware (And How Does It Work)?

CryptXXX is a form of ransomware that typically spreads through hacked websites, although several newer variants spread through email attachments. The program looks for files with certain extensions, then encrypts those files, rendering them unusable. It targets all attached drives, including networked drives and cloud service folders (such as Dropbox folders). It also creates three files to tell the victim about the infection: de_crypt_readme.txt, de_crypt_readme.html, and de_crypt_readme.bmp.

When CryptXXX encrypts a file, it changes the file extension to .crypt. It then presents a message explaining the encryption and demanding a ransom through a TOR payment site. CryptXXX asks for payment via bitcoin, which is difficult to trace.

This ransomware doesn’t advertise a name for itself (as of writing). It was named by security researchers based on an alias of the exploit kit used, and on two path strings the developers left behind in the code that contained the directory “CryptProjectXXX”. Look for the ransom messages and changed file extensions as mentioned above for identification.

Other unusual features of CryptXXX:

  • The malware looks for bitcoin wallets on the victim’s computer and steals them (rather than simply encrypting them).
  • It shares several features with Reveton ransomware, and some security experts believe that both programs originated from the same source.
  • It may disguise itself with _BigBang.dll, a legitimate DLL file associated with Cyberlink PowerDVD.
  • The payload was likely created with the Delphi programming language.

If the ransom is paid, the victim can download a decryption tool. Each victim has a unique private key, so the decryption tool for one user will not work for other infected machines.

How Does CryptXXX Ransomware Infect My System?

Most versions infect when the victim visits a hacked website, but newer versions of CryptXXX can be delivered via email. All current versions of CryptXXX ransomware target Windows computers, and all modern versions of Windows (from Windows XP to Windows 10) are susceptible.

To protect yourself from infection, you should keep your computer up to date. Use an appropriate firewall and antivirus program, but do not rely on software alone. Avoid going to unsecured or unfamiliar websites and never open email attachments from sources that you do not recognize or trust.

File extensions targeted by CryptXXX include:


This is not necessarily a comprehensive list, as new versions of CryptXXX will likely target more file formats.

What Ransom Payment Does CryptXXX Demand for Decrypting Files?

CryptXXX variants demand a payment of $500 per computer as a ransom. If the user does not pay, the ransom doubles to $1,000. If the victim continues to avoid paying, the developers claim that they will permanently delete the associated key, rendering the files permanently unusable. However, we have seen other ransomware developers make this claim without following through.

While introducing a new 3.0 variant, CryptXXX developers inadvertently broke their decryption tool. However, they quickly released an updated decryption tool.

How Can I Distinguish Between CryptXXX Versions?

The only way to tell the difference between versions 1.0, 2.0, and 3.0 of CryptXXX is to note the date of the infection. Most newer infections are version 3.0 as of this writing, but you may have an earlier version of the ransomware if your machine was infected prior to May of 2016. UPDATE: Versions 4 and 5 of CryptXXX are prevalent in the wild as of late July 2016, with some differences in appearance such as the ransom note file name and also renaming of affected files to random hex characters instead of just switching the extension to .crypt.

Can I Disable CryptXXX Ransomware Encryption?

Before deciding whether or not to pay the ransom, check whether a crack exists and whether your system’s Shadow Volume Copies contain functional copies of your files. Some versions of the program will not affect these volumes, and some files may be recoverable.

Contact our security experts to discuss your options. will determine whether your files are recoverable via conventional means and take every possible step to reverse the effects of CryptXXX ransomware. As a last resort, we can also help you organize a safe, one-time bitcoin payment to restore essential encrypted files.

As is the case with most types of ransomware, the most important factor is time. Call us immediately at 1-800-237-4200 to get started.